Con men and cash machines (fwd)

[lyons at digitalvoodoo.org (Timothy M. Lyons)]

---------- Forwarded message ----------
** via http://techPolice.com

-
Con men and cash machines
Walt Bogdanich/NYT NYT
Monday, August 4, 2003

They 'skimmed' 21,000 victims' numbers, police say

NEW YORK He fenced stolen jewels, committed bank and credit card fraud and had
been accused of having links to an Albanian-Yugoslav criminal gang. Cloaking
himself in nine aliases and Armani jackets, he was a smooth, multilingual
master of the con, investigators and people who knew him say.

His name is Iljmija Frljuckic, and by all accounts, he had no business being
around anybody else's money.

Yet after being deported in the late 1990's, he slipped back into the United
States and set up shop as a banker, not in a marble lobby under the watchful
eyes of auditors and regulators, but in the virtually unregulated world of
privately owned automated teller machines.

To tap into this electronic network, Frljuckic did not have to produce so much
as a valid driver's license. He simply bought some of these machines, which
are known in Britain as cash machines and are commonly found in convenience
stores, delicatessens and other retail outlets.

He and his associates installed devices that captured, or "skimmed," personal
bank account information from at least 21,000 people, prosecutors say. He and
his associates used that information in 2001 and early 2002 to make fake ATM
cards, then stole at least $3.5 million, mostly from ATM's in New York City,
according to the latest charges filed in May.

Before Frljuckic came along, small-time crooks had made crude forays into ATM
fraud. But in its size and technical sophistication, investigators say, the
Frljuckic case is a con of an entirely different order, a new turn on identity
theft, a jolting warning of the vulnerability of an ATM system that has
exploded in size in the last few years.

No one can say precisely how much is lost through ATM-related crimes. In fact,
no U.S. government agency knows how many cash machines are operating, where
they all are or who owns them. Though banks are reluctant to discuss their
losses, they say there is no cause for alarm. But from Canada to Malaysia to
the United Arab Emirates, investigators report new assaults on ATM's.

The criminals, both foreign and homegrown, include gangs, embezzlers and, on
occasion, money-launderers, according to investigators and public records.

And while ATM industry officials say the Frljuckic case shocked them into
tougher self-policing of privately owned machines, they also confess that the
thieves are remarkably resourceful, shifting their attention now to bank-owned
machines. In recent months, skimming devices have been found attached to bank
machines around Boston and Chicago.

"ATM's have been viewed as a weak point in the banking chain - and so the
criminals have focused on that," said Tom Harper, president of the ATM
Industry Association, the leading trade group.

Banks are supposed to reimburse victims of ATM theft. But unlike credit card
fraud, in which banks are stuck with bills for unauthorized purchases, ATM
thefts take cash from consumers, who may bear the burden of proving that
withdrawals were unauthorized.

Banks are not eager to publicize breaches of ATM security.

"They don't want to give people ideas," said Nessa Feddis, a lawyer with the
American Bankers Association.

Another reason, some financial experts say, is that banks do not want to
undermine confidence in a system that cuts their overhead while making them
billions in fees, collected when their customers use private ATMs or machines
owned by other banks. Several large banks also own parts of a network that
connects the machines and financial institutions.

The biggest ATM fraud in the United States began in late 2000 with trial runs
in California, Florida and New York. At 13 sites, thieves started installing
machines rigged internally to capture bank data and personal identification
numbers, or PIN's.

They were in no hurry; the longer they waited, the more account numbers they
could steal. In four months, with just the dozen or so machines, they had the
electronic keys to 4,000 accounts, fraud investigators say.

Only when the gang began siphoning money did banks and customers realize they
had been scammed. By the time the rigged machines had been identified, they
had vanished, along with their owners and tens of thousands of dollars.

By the end of June 2001, banks had identified the compromised cards and
electronically blocked them.

"They covered their tracks throughout the process," said Michael Urban, who
works for a division of Fair Isaac, a company that helps financial
institutions detect electronic fraud. "We didn't know anything other than they
had good PIN's, good cards."

Investigators say the machines were bought in the names Michael Dokovich and
Michael Bugatti, who turned out to be the same man: Iljmija Frljuckic.

He is believed to have first entered the country in 1981. By the early 1990's,
U.S. authorities had linked him to an Albanian-Yugoslav organized crime gang.

The government wrote in court papers that the group "is believed responsible
for a host of serious crimes, including arson, insurance fraud, bank fraud,
large-scale mail theft, drug-trafficking and sophisticated jewelry heists."

After his release from prison in 1996 on a sentence for bank fraud, a judge
ordered him deported to Yugoslavia. But he soon returned to the United States,
and by then the ATM system had opened its doors to private entrepreneurs.

The system that beckoned Frljuckic runs on the ever-accruing stream of money
from the surcharges first widely permitted in 1996. Today, many customers pay
twice - usually $1 to $3 to the owner of the machine, and $1 to $1.50 to the
bank that issued the card. ATM fees now add up to $4.5 billion annually,
according to Dove Consulting.

An ATM entrepreneur needs a machine and cash, which can be borrowed, to stock
it, and a bank account, so that when a cardholder withdraws money, the
cardholder's bank has some place to send the reimbursement. What the owner
does not need is a license or government approval.

Nasser Alomari is typical of the New York store owners who became unwitting
accomplices in Frljuckic's widening fraud, investigators say.

Alomari, a Yemeni immigrant, had originally owned his own ATM in his
delicatessen. A private company serviced the machine, paying him $1 for each
withdrawal. In a good month, that meant $600.

And until one day in January 2002, that seemed enough. Then a stranger offered
him a better return - $1.75 for each withdrawal. He said the man insisted on
installing his own ATM. Investigators say it had been fitted with a skimming
device.

Records show that the man Alomari dealt with used an alias, as he had in
buying 21 other machines. Investigators say he was Hamdija Frljuckic, brother
of Iljmija. Hamdija Frljuckic began buying machines in August 2001 from an
independent service organization called Money Marketing.

By early November 2001, investigators say, the thieves had collected account
information from about 17,000 New Yorkers. The trap was set.

Jenny Nordberg contributed to this report.

The New York Times